Security Assessment through Google Tools
-Focusing on the Korea University Website
Mi Young Bae1,1, Hankyu Lim1,
1Department of Multimedia Engineering, Andong National University,
388 Seongcheon-Dong, Andong-City, Gyeongsangbuk-Do, Republic of Korea
[email protected], [email protected]
Abstract. Recent cyber-attacks have been targeted at websites in most cases.
Therefore, in the present study, the security vulnerability of home pages will be
diagnosed through Googling that can collect information the most easily based
on the home pages of universities in South Korea. The present study is
intended to promote people’s awareness of Google search engine’s methods of
attacking vulnerability and present countermeasures that can defend security
vulnerability revealed by Google hacking.
Keywords: Secure coding, Google Hacking, Security Assessment, Web site.
1 Introduction
Since software of today exchanges data in Internet environments, the possibility to be
attacked by malicious hackers always exists.
Target attacking activities that occurred in one year of 2013 increased by 91%
compared to the previous year and the number of spill accidents increased by 62%.
Through the spill accidents, more than 552 million IDs were exposed[1].
In addition, the number of web-based attack cases increased by 23% and one out of
eight lawful websites were shown to have serious vulnerable points.
As cyber-crimes become more and more rampant, the costs and time to solve
related problems are continuously increasing. This is part of facts revealed through
the 5th annual cyber-crime cost study conducted by Ponemon Institute. Through an
international study conducted in 2014 in seven countries by a US based company, it
was revealed that the average cyber-crime cost of US companies increased by 9% in
one year from 11.6 million dollars in 2013 to 12.7 million dollars in 2014. It was also
shown that the average time taken to solve cyber-crimes also increased from 32 days
in 2013 to 45 days in 2014[2, 3].
The recognition that to resolve this security vulnerability, rather than reinforcing
security systems against external environments, the development of sturdy software
by programmers is the most essential and effective is increasing.
Nevertheless, the number of pieces of personal information spilt over the last five
years reaches as high as 200 million including 10.81 million through auction hacking
(Feb. 2008), SK Broadband 6 million (April 2008), GS Caltex 11.25 million (Sept.
1 Corresponding Author : Hankyu Lim, [email protected]
Advanced Science and Technology Letters Vol.93 (Security, Reliability and Safety 2015), pp.9-13
http://dx.doi.org/10.14257/astl.2015.93.03
ISSN: 2287-1233 ASTL Copyright © 2015 SERSC
2008), SK Coms 35 million (July 2011) plus those cases of information spill that were
omitted from submitted data for the reason of personal information work transfer[4].
Although methods of stealing personal information which is so serious a problem
are diverse including hacking by outsiders and spills by insiders, ‘Googling’ through
Google searches is regarded as the easiest method.
Therefore, in the present study, the security vulnerability of home pages will be
examined through Googling that can collect information the most easily based on the
home pages of universities in South Korea and people’s awareness of Google search
engine’s methods of attacking vulnerability will be promoted. In addition,
countermeasures that can defend security vulnerability revealed by Google hacking
will be presented.
2 Checking Website Security Vulnerabilities
Since 2012, stepwise mandatory application of security by software development has
been institutionalized for public web services of domestic public institutions as a
countermeasure against security threats[5].
In particular, according to the 2014 educational institution home page security
vulnerability checking promotion plan, home page security vulnerability checking
items were distributed as part of the reinforcement of the checking of security
vulnerability in home pages operated by educational institutions such as si/do
education offices and universities. The detailed contents of the security vulnerability
checking items are as shown in <Table 1> and <Table 2>.
Table 1. OWASP Security vulnerability assessment items
Security Vulnerability Type
1 Injection 6 Sensitive Data Exposure
2 Broken Authentication and Session Management 7 Missing Function Level Access
3 Cross-Site Scripting (XSS) 8 Cross-Site Request Forgery (CSRF)
4 Insecure Direct Object References 9 Using Components with Known Vulnerabilities
5 Security Misconfiguration 10 Unvalidated Redirects and Forwards
Table 2. NIS Security vulnerability assessment items
Security Vulnerability Type
1 Directory listing vulnerability 5 WebDAV Vulnerability
2 File Download Vulnerability 6 Tech note Vulnerability
3 Cross-Site Scripting (XSS) 7 ZeroBoard Vulnerability
4 File Upload Vulnerability 8 SQL injection Vulnerability
Advanced Science and Technology Letters Vol.93 (Security, Reliability and Safety 2015)
10 Copyright © 2015 SERSC
Programmers want vulnerability in their programs to be completely removed so
that their programs can operate as secure programs. However, expertise about
vulnerability items cannot be obtained easily and there are difficulties in recognizing
how vulnerability items can be corrected.
3 Google Hacking
Google collect information through many major media. The types of collected
information include those pieces of information that are directly provided when major
tools of Google are used, those pieces of information that are collected by Google
robots web crawlers, those pieces of information that are provided by others when
they use Google’s tools, and those pieces of information that are obtained from third
party databases and business partners[6].
Googling is using Google searches to obtain information from the Web. However,
Googling has been abused and established as an easy way to extract personal
information. Although large firms that are highly interested in security are
implementing defensive measures against such extraction of personal information,
entities such as schools and hospitals are still vulnerable to such attacks.
Googling is used not only in extracting personal information but also in attacks that
find company computing system administrator account information and push
malignant codes onto the accounts because by searching under certain options, even
important personal information existing in the relevant sites can be identified.
4 Security Vulnerabilities Diagnosis through Google Hacking
A. Personal Information Disclosure Vulnerability
Even simple search words such as “member list” and “member list.xls” produced
approximately 450,000 search results and quite some of which were files containing
students’ birth days, phone numbers, and addresses. The contents could be seen
through downloading and file opening without any restriction.
Fig. 1. Google search results and disclosure of personal information file
This security vulnerability corresponds to the exposure of important information
among OWAP security vulnerability items and the file download vulnerability among
the security vulnerability checking items of the National Intelligence Service.
Advanced Science and Technology Letters Vol.93 (Security, Reliability and Safety 2015)
Copyright © 2015 SERSC 11
B. SQL Injection Vulnerability
This is a vulnerability item that enables attackers to insert SQL sentences into the
input form and URL input section in web applications interlocked with databases to
read and manipulate information in the database.
To find administrator pages in order to inject SQLs, administrator pages were
searched in Google using the keyword inurl:admin site:ac.kr. Through the searches,
quite a few of approximately 26,900 websites exposed administrator log-in screens as
they were.
Fig. 2. Google search results and administrator mode
C. Directory listing vulnerability
Since there was vulnerability that all directories or directories that contain
important information are listed outside due to the failure of setting index security in
public servers, Googling with intitle:index.of inurl:ac.kr produced approximately
1,610,000 search results and quite a few of them listed directories as they were.
Fig. 3. Google search results and directory listings
D. Error messages vulnerability
Advanced Science and Technology Letters Vol.93 (Security, Reliability and Safety 2015)
12 Copyright © 2015 SERSC
Since AP installation information, ID/PW information, and SQL injection attack
information are provided when error messages are searched at Google, detailed
information on server invasion pathways is provided.
This is the result of a search at Google using the keyword, ORA-00921:unexpected
end of SQL command inurl:ac.kr.
Fig. 4. Google search results and the error message exposure
5 Conclusion
In the present study, security vulnerability of the home pages of universities in South
Korea was diagnosed using very simple Google search words. According to the
diagnosis, quite some part with security vulnerability existed.
Nevertheless, concrete guidelines for methods for preventing or checking security
incidents by Google hacking are still insufficient.
To prevent Google hacking, vulnerability scanning of web servers should be
conducted using Google hacking vulnerability scanners and if any vulnerable points
are found, the cause should be grasped and necessary actions should be taken.
Hereafter, the security vulnerability of home pages of universities in South Korea
will be analyzed using Google hacking vulnerability scanners and methods for solving
the vulnerability will be presented based on the results of the analysis.
References
1. Symantec: Internet Security Threat Report, 2013 Trends, Volume 19, (2014)
2. Ministry of Public Administration and Security, Software Development Security Guide,
2012.5
3. http://www8.hp.com/kr/ko/software-solutions/ponemon-cyber-security-report/
4. Kim Namil,"Revealed personal information during 5 years is 200 millions, the penalty is
94.39 million won for 14 cases", 「Hankyeorae」, (2014)
5. Ministry of Security and Public Administration: Secure Coding Inspection Guide for e-gow
SW,(2014)
6. Greg Conti: Google knows you, Bpanbooks, (2009)
Advanced Science and Technology Letters Vol.93 (Security, Reliability and Safety 2015)
Copyright © 2015 SERSC 13